Data
Protection
1. Introduction
dozfx is a creative orchestration platform and digital creative agency operated by dozfx Digital Creative Ltd, a company incorporated in the Republic of Cyprus. Our services combine human creative expertise with an AI-assisted intake system that helps prospective and existing clients describe their projects, organise the relevant information and produce structured project briefs before a human takes the work forward.
Because our platform is built around a guided, conversational intake process, protecting the information you share with us — from a first message on our intake system to the delivery of a finished creative project — is central to how we operate. This Data Protection Policy explains what personal data we collect through our website, our platform and our AI intake system, why we process it, the legal grounds we rely on, how long we keep it, who we share it with and the rights you have.
We process personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Cyprus Law 125(I)/2018 providing for the protection of natural persons with regard to the processing of personal data, and applicable Cyprus rules governing privacy in electronic communications. Where this Policy refers to “we”, “us”, “our” or “dozfx”, it refers to dozfx Digital Creative Ltd.
Please read this Policy together with the documents referred to in Section 20 (Related Legal Documents).
2. Data Controller
For the personal data described in this Policy, the data controller is:
dozfx Digital Creative Ltd Spyrou Kyprianou 19, Silver House 3070 Limassol, Cyprus
- Company Registration Number: HE 483823
- Tax Identification Code (TIC): 60259097W
- VAT Identification Number: CY60259097W
- Website: https://www.dozfx.com
- Platform: https://www.dozfx.io
- AI Intake System: https://chat.dozfx.io
- Email: hello@dozfx.com
- Managing Director: Thomas “Joe” Hahn
If you have any question about this Policy or about how we handle your personal data, or if you wish to exercise any of your rights under GDPR, you can contact us at any time at hello@dozfx.com.
3. Scope of this Policy
This Policy applies to the processing of personal data carried out through:
- our corporate website at https://www.dozfx.com;
- our platform at https://www.dozfx.io; and
- our AI intake system at https://chat.dozfx.io.
It covers visitors to our website, prospective clients who begin a conversation through our intake system, clients who engage us for creative services, and other individuals who communicate with us in a business context.
Controller and processor roles. dozfx acts as the controller of the personal data you provide directly to us — for example, your name, contact details, the business information you share and the messages you exchange with us — because we determine the purposes and means of processing that data. In relation to personal data that may be contained within project materials you upload (such as information relating to your own employees, customers or other third parties), dozfx’s role depends on the nature of the engagement: depending on the nature of the engagement, dozfx may process certain project information either as an independent controller or, where agreed and legally appropriate, as a processor acting on behalf of the client. Where dozfx acts as a processor, the applicable terms are set out in our engagement with you. This Policy does not apply to third-party websites, platforms or services that may be linked from our website or platform. Those services are governed by their own privacy policies, and we encourage you to review them.
4. Information We Collect
4.1 Information You Provide
When you use our intake system, communicate with us or engage our services, you may voluntarily provide the following categories of information:
- Identity and contact details: name, company, email address and phone number.
- Business information: your industry, business background and other details you choose to share about your organisation.
- Project information: project descriptions, objectives, budgets, timelines, creative direction and related preferences.
- Communications: chat messages exchanged through the intake system and other correspondence, as well as feedback you provide.
- Project materials you upload: logos, images, videos, PDFs, presentations, brand guidelines, technical documents, references and other project materials.
You decide what to share. Some information is necessary for us to prepare a project brief, prepare a quotation or deliver a service; if you choose not to provide it, we may be unable to assist you effectively. Please only submit information that you are entitled to disclose (see Section 8 and Section 15).
4.2 Information Collected Automatically
When you access our website, platform or intake system, certain information is collected automatically, primarily to keep the service running securely and reliably:
- IP address;
- browser information;
- device information;
- operating system;
- session identifiers;
- log files;
- cookies (see Section 9);
- security logs; and
- technical diagnostics.
We do not use automatically collected information to build advertising or marketing profiles about you.
5. How We Use Your Information
We process personal data only for legitimate business purposes connected with operating our platform and delivering our services, namely to:
- generate structured project briefs from the information you share;
- organise and manage project information;
- communicate with you about your project, your enquiries and your engagement;
- prepare quotations and proposals;
- deliver the creative services you engage us for and manage the resulting projects;
- provide customer support;
- maintain the security of our platform and prevent fraud and misuse;
- comply with our legal and regulatory obligations; and
- monitor, maintain and improve the functionality and reliability of our platform.
We do not sell your personal data, and we do not use it for automated advertising.
Data minimisation. In line with the principles set out in Article 5 GDPR — including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality — we only request and process the information that is reasonably necessary to provide the services you ask for. We encourage you to share only the information relevant to your project and to avoid submitting unnecessary personal information.
6. The dozfx Intake System
The dozfx Intake System is the core of our platform. It is designed to make the start of a creative project structured, efficient and clear for both you and our team.
6.1 Guided Project Intake
Projects with dozfx typically begin through a structured, AI-powered conversation on our intake system at https://chat.dozfx.io. The intake system guides you through a series of questions about your business, your objectives and your project, so that the information we need is captured in a clear and organised way. The content of that conversation — including anything you type and any materials you upload — is processed to support the intake and preparation of your project.
6.2 AI-Generated Project Briefs
The information gathered during intake is organised and summarised with the assistance of artificial intelligence to produce a structured project brief. This brief consolidates your objectives, requirements and supporting materials into a consistent format that our team can review and act upon. The purpose of the brief is to prepare a project for human assessment — not to make any decision about it.
6.3 Human Review & Validation
Human review is a fixed part of our workflow. While AI helps prepare and organise information, all commercial decisions — including quotations, project acceptance and the terms of any engagement — are made by our team. No decision that produces legal effects concerning you, or that similarly significantly affects you, is made solely by automated means. Human validation is applied before a project moves forward, and you can always speak to a member of our team.
6.4 Returning Clients & Project Continuity
To provide a coherent experience across sessions and projects, our platform uses session management and a project-memory capability so that returning clients do not have to repeat information unnecessarily. This allows us to recognise a returning client, maintain continuity between related conversations and build on the context of previous projects. This continuity information is used solely to support your projects and your relationship with dozfx, and is retained in accordance with Section 13.
7. Artificial Intelligence Processing
Artificial intelligence is integrated into our platform to support the preparation of creative projects. Specifically, AI is used to:
- organise project information;
- summarise conversations;
- generate structured project briefs;
- assist with the preparation of projects; and
- improve the efficiency of our workflow.
To provide these features, we use AI services supplied by OpenAI, including large language model processing (OpenAI GPT-5) and text embeddings (OpenAI Embeddings). Embeddings allow relevant project information to be organised and retrieved to support continuity between sessions, as described in Section 6.4.
Depending on the nature of a project, we may also use other carefully selected third-party AI and creative technology services to support research, drafting, image generation, video generation, enhancement, analysis, prototyping and workflow automation. These services are used solely as supporting tools within our human-led creative workflow. We take reasonable steps to avoid submitting unnecessary personal data and only provide information that is required for the requested service.
We want to be clear about how this processing works and about its limits:
- AI assists humans; it does not replace them. AI is used only to prepare, organise and summarise information.
- AI providers process your information solely to deliver the requested functionality. Information you submit through the platform is transmitted to our AI service provider and processed only to provide the AI features described above, in accordance with the applicable data processing terms (see Section 10 and Section 11).
- Human review of AI output. AI-generated output — including project briefs and summaries — is reviewed by our team where appropriate before it is relied upon.
- AI does not make commercial, contractual or legally binding decisions. Quotations, project acceptance and engagement terms are always determined by our team, and human validation is a standard part of our workflow. For this reason, the processing carried out through our intake system does not constitute automated decision making producing legal or similarly significant effects within the meaning of Article 22 GDPR.
Because these features rely on the information you choose to share, we encourage you to submit only the information reasonably necessary for your project and to avoid providing unnecessary personal information or highly sensitive information (see Section 5 and Section 15).
8. File Uploads & Project Materials
Our platform allows you to upload files — such as logos, images, videos, PDFs, presentations, brand guidelines, technical documents and other references — so that we can prepare and deliver your project. Uploaded files are stored using our storage provider (see Section 10) and are processed solely for the purpose of preparing and delivering the project they relate to.
Please note the following:
- Only upload information you own or are authorised to disclose. You are responsible for ensuring that you have the necessary rights and permissions for any material you submit, including any personal data, confidential information or intellectual property belonging to third parties.
- Purpose limitation. Uploaded files are used only for project preparation, project management and service delivery. They are not used for unrelated purposes.
- Security. We apply appropriate technical and organisational measures to protect uploaded files, as described in Section 14.
- No absolute security. While we take security seriously, no method of transmission over the internet and no method of electronic storage is completely secure. We cannot guarantee absolute security, and you share files at your own discretion.
Where your uploaded materials contain personal data relating to third parties, dozfx’s role in respect of that material is determined by the nature of the engagement, as explained in Section 3.
9. Cookies & Session Technologies
Our website, platform and intake system use a limited set of cookies and similar session technologies that are strictly necessary for the service to function securely. We use:
- Essential cookies — required for the basic operation and integrity of the platform;
- Session cookies — used to manage your session and maintain continuity while you use the intake system;
- Authentication cookies — used to keep you securely signed in to your account; and
- Security cookies — used to help protect the platform and detect misuse.
We do not use cookies or similar technologies for any purpose beyond operating, securing and maintaining the platform. The cookies described above are strictly necessary to provide the service you request. Under applicable Cyprus rules on privacy in electronic communications, and consistent with the ePrivacy framework, strictly necessary cookies of this kind do not require prior consent, because the platform cannot function or be kept secure without them. You can control or delete cookies through your browser settings; however, disabling essential, session, authentication or security cookies may prevent parts of the platform — including sign-in and the intake system — from working correctly.
10. Third-Party Service Providers
We work with a small number of specialist providers to host, operate and secure our platform and to deliver its AI features. These providers process personal data on our behalf, as processors under Article 28 GDPR, and only in accordance with our instructions and the applicable data processing terms. Our current providers are: OpenAI and other selected AI and creative technology providers, AI-assisted text processing, project brief generation, research support, creative generation, image and video generation, enhancement, analysis and workflow support, depending on project requirements.
We do not permit these providers to use your personal data for their own independent purposes. Where a provider engages its own sub-processors to support the service, it remains responsible to us for their compliance under the relevant data processing terms.
11. International Data Transfers
Some of our providers may process personal data outside the European Economic Area (EEA), including in countries that have not received an adequacy decision from the European Commission.
Where personal data is transferred outside the EEA, we ensure that an appropriate transfer safeguard under Chapter V of the GDPR is in place wherever such a safeguard is legally required — in particular, Standard Contractual Clauses (SCCs) adopted by the European Commission, transfers to recipients covered by a relevant adequacy decision, or another equivalent mechanism recognised under the GDPR. These safeguards are designed to ensure that your personal data continues to benefit from a level of protection consistent with EU law wherever it is processed.
If you would like more information about the transfer mechanisms we rely on, you can contact us at hello@dozfx.com.
12. Legal Basis for Processing (GDPR)
We process personal data only where we have a lawful basis to do so under Article 6 GDPR. Depending on the situation, we rely on one or more of the following:
- Consent — Article 6(1)(a). Where we ask for your consent to a specific processing activity (for example, certain optional communications). Where processing is based on consent, you may withdraw it at any time, as described in Section 16, without affecting the lawfulness of processing carried out before withdrawal.
- Performance of a contract — Article 6(1)(b). To take steps at your request before entering into a contract and to perform our contract with you — including operating the intake system, preparing project briefs and quotations, delivering our creative services, managing your project and communicating with you about your engagement.
- Compliance with a legal obligation — Article 6(1)(c). To comply with obligations to which we are subject under Cyprus and EU law, such as accounting, tax and record keeping obligations, and responding to lawful requests from competent authorities.
- Legitimate interests — Article 6(1)(f). Where necessary for our legitimate interests or those of a third party, provided these are not overridden by your interests or fundamental rights. Our legitimate interests include securing our platform, preventing fraud and misuse, maintaining and improving the functionality of our services, responding to business enquiries and managing our client relationships. Where we rely on this basis, we carry out a balancing assessment, and you have the right to object as described in Section 16.
13. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected. In particular, project related information may be retained where reasonably necessary for:
- ongoing services that we provide to you;
- future collaboration on related or follow-on work;
- returning-client continuity, so that you do not need to repeat information unnecessarily (see Section 6.4);
- contractual obligations, for the duration of and in connection with our engagement; and
- legal obligations, including invoicing, accounting and tax records retained for the periods prescribed by applicable Cyprus legislation.
We retain this information unless you request its deletion (see Section 16) or unless applicable law requires us to retain it for a longer period. Limited information, such as security logs, is retained only for the period necessary to protect the platform and to establish, exercise or defend legal claims. When personal data is no longer required for any of these purposes, we delete it or irreversibly anonymise it.
14. Data Security
We apply appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration and loss. These measures include:
- encrypted transmission of data in transit where applicable (for example, via secure HTTPS/TLS connections);
- access controls limiting access to personal data to those who need it;
- authentication measures for access to accounts and administrative functions;
- backups to support availability and recovery;
- monitoring and security logging to detect and respond to threats; and
- organisational measures, including internal policies and confidentiality obligations on those who handle personal data.
Despite these measures, no online platform, method of transmission over the internet or method of electronic storage can be guaranteed to be completely secure. We cannot therefore guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Office of the Commissioner for Personal Data Protection, and, where the breach is likely to result in a high risk to you, we will inform you, in each case in accordance with Articles 33 and 34 GDPR.
15. Confidential Business Information
We understand that the information you share with dozfx — including project descriptions, objectives, budgets, creative direction and uploaded materials — is often commercially sensitive.
- Confidential treatment. dozfx treats submitted project information as confidential and uses it only to prepare and deliver your project and to manage our relationship with you.
- Safeguards. We implement appropriate technical and organisational safeguards to protect this information, and those who handle it on our behalf are bound by confidentiality obligations.
- Authorised disclosure only. You should submit only information that you own or are otherwise authorised to disclose, including where the information belongs to, or concerns, third parties.
- Avoid unnecessary sensitive data. You should avoid submitting highly sensitive personal information — such as special categories of data within the meaning of Article 9 GDPR — unless it is genuinely necessary for the services you have requested.
- No absolute guarantee. As with all information transmitted over the internet, absolute confidentiality and security cannot be guaranteed. Any specific confidentiality arrangements between you and dozfx are set out in the terms of our engagement (see Section 20).
16. Your Rights Under GDPR
Subject to the conditions and exceptions in the GDPR, you have the following rights in relation to your personal data:
- Right of access (Article 15) — to obtain confirmation of whether we process your personal data and a copy of that data.
- Right to rectification (Article 16) — to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (Article 17) — to have your personal data deleted where the conditions are met.
- Right to restriction (Article 18) — to have the processing of your personal data restricted in certain circumstances.
- Right to data portability (Article 20) — to receive personal data you provided to us in a structured, commonly used and machine-readable format, and to have it transmitted to another controller where technically feasible.
- Right to object (Article 21) — to object to processing based on our legitimate interests, on grounds relating to your particular situation.
- Right to withdraw consent (Article 7(3)) — where processing is based on consent, to withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint (Article 77) — to lodge a complaint with a supervisory authority.
To exercise any of these rights, please contact us at hello@dozfx.com. We will respond without undue delay and in any event within one month of receiving your request, as required by Article 12 GDPR, unless the request is complex or numerous, in which case we may extend this period and will inform you accordingly. We may need to verify your identity before acting on a request. Exercising these rights is generally free of charge, although we may charge a reasonable fee, or decline to act, where a request is manifestly unfounded or excessive.
If you believe that our processing of your personal data does not comply with data protection law, you have the right to lodge a complaint with the Cyprus supervisory authority:
Office of the Commissioner for Personal Data Protection Kypranoros 15, 1061 Nicosia, Cyprus P.O. Box 23378, 1682 Nicosia, Cyprus Telephone: +357 22 818 456 Email: commissioner@dataprotection.gov.cy Website: http://www.dataprotection.gov.cy
You may also lodge a complaint with the supervisory authority in your EU country of residence or place of work. We would, however, appreciate the chance to address your concerns directly before you do so.
17. Children’s Privacy
Our platform and services are intended for businesses and professionals and are not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a person under 18 without appropriate authorisation, we will take steps to delete that data promptly. If you believe that a person under 18 has provided us with personal data, please contact us at hello@dozfx.com.
18. Changes to this Privacy Policy
We may update this Policy from time to time to reflect changes in law, technology, our services or our business practices. Where we make changes, we will indicate this by updating the effective date of this Policy and, where the changes are material, we will take reasonable steps to bring them to your attention. We encourage you to review this Policy periodically. Your continued use of our website, platform or intake system after an update takes effect indicates that you are aware of the current version.
19. Contact
If you have any questions, concerns or requests regarding this Policy or your personal data, please contact us:
dozfx Digital Creative Ltd Spyrou Kyprianou 19, Silver House 3070 Limassol, Cyprus
- Email: hello@dozfx.com
- Website: https://www.dozfx.com
- Company Registration Number: HE 483823
- Tax Identification Code (TIC): 60259097W
- VAT Identification Number: CY60259097W
20. Related Legal Documents
This Policy should be read together with the following documents, which govern other aspects of your relationship with dozfx:
